Every click, every page load, every API call begins with a DNS lookup. Explore the distributed system that translates names to numbers, interactively.
When you type a URL, your device triggers a multi-hop lookup that bounces between up to 4 different server types. Click each step to trace the packet.
DNS zones are made of records. Click any card to see a real-world example and how the record is structured.
TTL (Time To Live) controls how long each layer caches a DNS response. Start the simulation to see all four cache layers count down simultaneously.
Note: Simulation runs at 60× speed. Browser ignores TTL and uses its own 60s cap.
DNS doesn't "propagate": there's no broadcast. Each resolver independently caches the record and waits for its TTL to expire. Watch 24 resolvers worldwide update at different times.
Every DNS exchange is a fixed-format message. Toggle between query and response to see exactly what's on the wire.
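As an added example (not part of the interactive page), the following Python builds a query in that fixed wire format, parses a constructed response including a compressed owner name, and performs the ID-and-question match a resolver applies before accepting an answer. The transaction ID, name and address are constructed sample values.

```python
import struct

def encode_name(name):
    """Encode 'example.com' as length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(txid, name, qtype=1):
    """12-byte header (ID, flags with RD=1, QDCOUNT=1) + one question (QNAME, QTYPE, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it in the original stream)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer: 2 bytes, 14-bit offset
            if not jumped:
                end = off + 2                # only the first pointer decides where we resume
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_message(msg):
    """Parse header, question and answer sections; A records are rendered as dotted quads."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "rcode": flags & 0xF, "questions": questions, "answers": answers}

def matches_query(query, response):
    """The acceptance check a resolver makes: transaction ID and question section must match."""
    q, r = parse_message(query), parse_message(response)
    return q["id"] == r["id"] and q["questions"] == r["questions"]

QUERY = build_query(0x1A2B, "example.com")  # constructed sample query
# Constructed response: same ID, flags QR|RD|RA, one A answer whose owner name is a pointer to offset 12.
RESPONSE = (struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) + QUERY[12:]
            + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```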
DNS was designed in 1983 with no built-in authentication. These three attack classes exploit that trust.
An attacker races to inject forged responses matching the 16-bit Transaction ID before the legitimate answer arrives. The 2008 Kaminsky attack targeted random subdomains (never cached) to get unlimited attempts, injecting rogue NS records to hijack entire zones.
Small queries with spoofed source IPs sent to open resolvers generate 28–54× larger responses, flooding the victim. The 2016 Dyn attack (1.2 Tbps via Mirai botnet) knocked Twitter, Reddit, and Netflix offline simultaneously.
Arbitrary data encoded in subdomain labels (base32 upstream) and TXT records (base64 downstream). Low throughput but nearly invisible; the SolarWinds SUNBURST attack used DNS-based command and control.